NAT Box-to-Box High-Availability feature on ISR
Transcript of Cisco Live session BRKARC-2033
Uma Sankar Mohanty
Agenda
• Redundancy, A Wise Investment
• Box-2-Box High Availability feature
• NAT-HA Solution
• Design Recommendation
• Implementation Topology
• Configuration Design
• Troubleshooting Tips
• Conclusion
Redundancy, a Wise Investment…
Box-2-Box High Availability Feature
B2B HA Feature :
• The B2B HA feature is used to make the IP network more resilient to potential link and router failures.
• The key elements:
RG Infra (Redundancy Group Infrastructure) :
• The services provided by the RG Infra present in the ISR G2 platforms are used by NAT to implement the HA feature.
• RG Infra defines multiple redundancy groups to which applications can subscribe and function in an Active-Standby mode across different routers.
RG Protocol :
• The protocol is responsible for determining the RG active/standby role and for triggering switchover.
• Responsible for communicating with the RG peers.
RG Transport :
• RG Transport creates the Transport information structure, which enables communication channel setup between Active and Standby.
• The Transport information is negotiated over the Control link.
RG Interface :
• Manages the creation/deletion of virtual interfaces per RG.
RG Fault :
• Detects faults and updates the run-time priority.
• Responsible for communicating the Control interface status to the RG Protocol.
• Communicates the updated priority to the RG Protocol.
RG Config :
• The configuration related to the RG.
• Informs the core about new RG groups.
RG Framework :
• This is the core infrastructure for High Availability.
• RG state progression and notifications.
• Receives new group information from the RG Config.
• Receives the role information.
NAT-HA Solution
NAT HA Solution :
• The NAT-HA feature enables application connectivity to continue unaffected in the event of potential failures around the NAT border.
• Currently the feature is used in an HSRP-like fashion, which means the configuration has Virtual IP addresses (VIP) and a Virtual MAC.
Terminologies & Working
• RG Control Interface :
• Dedicated interface used for the exchange of control information by the RG.
• Used for RG protocol negotiation.
• Used for RG transport query.
• Used for peer reachability detection.
Note : The Control & Data interfaces can be on the same physical interface.
• RG Data Interface :
• Dedicated physical interface that provides connectivity between the two ISR routers.
• Used by the RG Infra for data information exchanges between the ISR devices, such as NAT's session information.
• RG AR (Asymmetric-Routing) Interface :
• Dedicated physical interface used for forwarding AR packets from Standby to Active and vice versa (optional).
[State diagram: states INIT, RESET, STANDBY HOT, ACTIVE and SOLO; transition labels ACTIVE STANDBY, RESET ACTIVE, STANDBY PRESENT and BULK SYNC SUCCEEDED]
State Transition in B2B HA NAT :
• B2BHA states are Active, Standby Hot, Standby Cold and Init.
• State changes from Active -> Init -> Standby, or Standby -> Active.
• The router with the higher priority value is given the Active role. If both routers have the same priority, the IP address is used to decide the role: the router with the higher control interface IP address is given the Active role.
Design Recommendation
Design Consideration :
Software
• Supported from 15.3(2)T and later releases.
Behavior
• HSRP-like behavior.
• A Virtual IP and a Virtual MAC (VMAC) are needed.
Design
• Control and Data interfaces can be on the same physical interface but on different logical ones.
Tracking
• Multiple objects can be tracked by the RG and influence the priority of the RG.
• IP SLA can be used, or the decrement can be fed into RG Fault via "redundancy rii <num> decrement <val>".
Failover Triggers
• Power loss/reload
• Control interface down
• Data interface down
• Tracked object failure
• Priority of the Active goes down below the Standby
Implementation Topology
[Diagram: B2BHA NAT LAN-LAN Topology]
[Diagram: B2BHA NAT WAN-LAN Topology]
Configuration Design
Supported NAT Configurations :
• Simple Static NAT configuration
• Extended Static NAT configurations
• Network Static NAT configurations
• Dynamic NAT and PAT configurations
• NAT inside source, NAT outside source and NAT inside destination rules
• NAT rules for VRF-to-IP cases
• NAT rules for VRF-to-VRF (within the same VRF) cases
Unsupported NAT Configurations :
• NAT configurations with interface overload options
• NAT with MPLS L3VPN
• NVI-NAT feature
Supported ALGs :
• The only supported ALG at this time is FTP.
B2B NAT-HA Configuration Key Elements :
Redundancy Configurations :
Step 1 : Configure the RG-ID
ISR1(config)#redundancy
ISR1(config-red)#application redundancy
ISR1(config-red-app)#group 1
ISR1(config-red-app-grp)#shutdown
This is the first step: the RG infra is configured and kept in 'shutdown' before proceeding with the further steps. Currently only two RG groups are supported.
Step 2 : Mention the Control & Data interfaces
ISR1(config-red-app-grp)#control Ethernet0/1.10
ISR1(config-red-app-grp)#data Ethernet0/1.20
Define both the Control and Data interfaces.
Step 3 : Mention the Protocol
ISR1(config-red-app)#protocol 1
Define the RG protocol. Currently only one protocol (protocol 1) is supported.
Step 4 : Mention the Asymmetric-routing interface (optional)
ISR1(config-red-app-grp)#asymmetric-routing interface Ethernet0/1.30
The same interface can be used as the Data and Control interface.
Step 5 : Set up Preempt, Priority & Group name (optional)
ISR1(config-red-app-grp)#name CISCO
ISR1(config-red-app-grp)#preempt
ISR1(config-red-app-grp)#priority 150
This set of commands is optional: 'name' names the RG group, and 'preempt' allows the router to become the active router when its priority is higher.
Interface Configurations :
Step 1 : Configure the Redundancy rii
ISR1(config)#interface GigabitEthernet 0/0/0
ISR1(config-if)#redundancy rii 100
Each interface which is part of the RG infra should be configured with a number that is unique on the device. Here 'number' is a unique identification number for each interface that is part of the RG infra.
Step 2 : Configure the RG-id & Virtual IP
ISR1(config-if)#redundancy group 1 ip 10.2.2.20 exclusive decrement 100
Each interface on the LAN should be configured with the RG-id and a Virtual IP address. This VIP is only enabled on the device whose redundancy group is in the active state. The LAN/WAN interface should already have an IP address assigned, and the VIP should be chosen from the same subnet as the interface's address.
Step 3 : Configure the NAT inside & outside interfaces
ISR1(config-if)#ip nat inside/outside
The inside and outside NAT interfaces should be configured.
NAT Configurations :
Step 1 : Configure NAT statements for the RG infra
ISR1(config)#ip nat inside source list acl_100 pool pool_100 redundancy 1 mapping-id 120 overload
Each NAT statement which is part of the RG infra should be assigned an 'RG-id' and a 'map-id' (mapping-id).
Make RG to Roll :
Step 1 : Enable the RG Infra
ISR1(config)#redundancy
ISR1(config-red)#application redundancy
ISR1(config-red-app)#group 1
ISR1(config-red-app-grp)#no shutdown
After configuring all NAT rules, make sure the same NAT configuration is applied on the peer router as well; only then should the RG be enabled to start the negotiations. In short: complete the NAT configuration on both NAT routers, then enable the RG.
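An added lint (my own check, not from the session) over the configuration rules stated in these steps: every interface carrying a redundancy group needs a rii that is unique on the device, the VIP must sit in the interface's own subnet, each NAT statement needs its RG-id and mapping-id, and both peers must carry the same NAT rules. The running-config samples are constructed, with ISR2 deliberately broken.

```python
import ipaddress
import re
# Constructed sample running-config for the first peer (not from the slides).
ISR1_CFG = """interface GigabitEthernet0/0/0
 ip address 10.2.2.2 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.2.2.20 exclusive decrement 100
!
ip nat inside source list acl_100 pool pool_100 redundancy 1 mapping-id 120 overload
"""
# Peer config derived from ISR1 with two deliberate faults: VIP outside the subnet, NAT rule lacking RG-id/mapping-id.
ISR2_CFG = (ISR1_CFG.replace("10.2.2.2 ", "10.2.2.3 ")
            .replace("ip 10.2.2.20", "ip 10.2.3.20")
            .replace("redundancy 1 mapping-id 120 ", ""))

def lint(cfg):
    """Return (violations, NAT rules) for one router's running-config text."""
    issues, riis, nat_rules = [], {}, []
    for block in cfg.split("!\n"):  # IOS separates config sections with '!'
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0].startswith("interface "):
            name, addr, rii, vip = lines[0].split()[1], None, None, None
            for ln in lines[1:]:
                if m := re.match(r"ip address (\S+) (\S+)$", ln):
                    addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
                elif m := re.match(r"redundancy rii (\d+)$", ln):
                    rii = int(m[1])
                elif m := re.match(r"redundancy group \d+ ip (\S+)", ln):
                    vip = ipaddress.ip_address(m[1])
            if vip is None:  # interface does not take part in the RG
                continue
            if rii is None:
                issues.append(f"{name}: redundancy group configured without a rii")
            elif rii in riis:
                issues.append(f"{name}: rii {rii} already used on {riis[rii]}")
            else:
                riis[rii] = name
            if addr is None or vip not in addr.network:
                issues.append(f"{name}: VIP {vip} is outside the interface subnet")
        for ln in lines:  # NAT rules live in global config, outside interfaces
            if re.match(r"ip nat (inside|outside) source ", ln):
                nat_rules.append(ln)
                if not re.search(r"redundancy \d+ mapping-id \d+", ln):
                    issues.append(f"NAT rule missing RG-id/mapping-id: {ln}")
    return issues, nat_rules

def lint_pair(cfg_a, cfg_b):  # NAT rule sets must also match between the peers
    (ia, na), (ib, nb) = lint(cfg_a), lint(cfg_b)
    return ia, ib + (["NAT rules differ from peer"] if sorted(na) != sorted(nb) else [])
```

Running `lint_pair(ISR1_CFG, ISR2_CFG)` reports nothing for ISR1 and three findings for ISR2: the VIP outside the subnet, the NAT rule without RG-id/mapping-id, and the resulting NAT rule mismatch between the peers.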
[Diagram, repeated on four slides: Asymmetric-Routing Support Enabled. Active and Standby routers in RG1 between the LAN and the WAN cloud, with AR packets passing over the AR interface; labels WAN BRII 1 and WAN ARII 1.]
Troubleshooting Tips
show ip nat redundancy <RG-id>
show ip nat translations redundancy <RG-id> [verbose]
show redundancy application group <RG-id>
show redundancy application protocol group <RG-id>
show ip route
show ip cef
show tech-support
ISR1#show ip nat redundancy 1
RG ID: 1 RG Name: RG1
Current State: IPNAT_HA_RG_ST_ACT_BULK_DONE
Previous State: IPNAT_HA_RG_ST_ACTIVE
Recent Events: Curr: IPNAT_HA_RG_EVT_RF_ACT_STBY_HOT
Prev:IPNAT_HA_RG_EVT_RF_ACT_STBY_BULK_START
Statistics :
Static Mappings: 1, Dynamic Mappings: 0
Sync-ed Entries :
NAT Entries: 0, Door Entries: 0
Mapping ID Mismatches: 0
Forwarded Packets: 0, Dropped Packets : 0
Redirected Packets: 0
ISR2#show ip nat redundancy 1
RG ID: 1 RG Name: RG1
Current State: IPNAT_HA_RG_ST_STBY_HOT
Previous State: IPNAT_HA_RG_ST_STBY_COLD
Recent Events: Curr: IPNAT_HA_RG_EVT_RF_STBY_COLD
Prev: IPNAT_HA_RG_EVT_NAT_CFG_REF
Statistics :
Static Mappings: 1, Dynamic Mappings: 0
Sync-ed Entries :
NAT Entries: 0, Door Entries: 0
Mapping ID Mismatches: 0
Forwarded Packets: 0, Dropped Packets : 0
Redirected Packets: 0
ISR1#show ip nat translations redundancy 1 verbose
--- 6.6.6.6 5.5.5.5 --- ---
create 00:00:10, use 00:00:10 timeout:0,
flags:
static, created-by-local, use_count: 0, router/rg id: 0/1 ha_entry_num: 0
mapp_id[in/out]: 120/0, entry-id: 1, lc_entries: 0
ISR2#show ip nat translations redundancy 1 verbose
--- 6.6.6.6 5.5.5.5 --- ---
create 00:01:38, use 00:01:38 timeout:0,
flags:
static, created-by-local, use_count: 0, router/rg id: 0/1 ha_entry_num: 0
mapp_id[in/out]: 120/0, entry-id: 1, lc_entries: 0
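To read the two 'show ip nat redundancy' captures side by side, an added Python check (my own, not from the session) parses the layout shown above and flags a role pair other than one Active plus one Standby Hot, mapping counts that differ between peers, differing synced entry counts, non-zero Mapping ID Mismatches and dropped packets. The captures below are constructed, and treating the counters as comparable across the two peers is an assumption.

```python
import re
# Constructed sample captures (values made up) in the layout of
# 'show ip nat redundancy <RG-id>' shown above, one per peer.
ISR1_OUT = """RG ID: 1 RG Name: RG1
Current State: IPNAT_HA_RG_ST_ACT_BULK_DONE
Statistics :
Static Mappings: 1, Dynamic Mappings: 2
Sync-ed Entries :
NAT Entries: 40, Door Entries: 0
Mapping ID Mismatches: 0
Forwarded Packets: 0, Dropped Packets : 0
"""
ISR2_OUT = """RG ID: 1 RG Name: RG1
Current State: IPNAT_HA_RG_ST_STBY_HOT
Statistics :
Static Mappings: 1, Dynamic Mappings: 1
Sync-ed Entries :
NAT Entries: 25, Door Entries: 0
Mapping ID Mismatches: 3
Forwarded Packets: 0, Dropped Packets : 7
"""

def parse_nat_redundancy(text):
    """Return the RG state plus every numeric 'Key: value' counter in the capture."""
    info = {"state": re.search(r"Current State: (\S+)", text)[1]}
    for key, val in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*: (\d+)", text):
        info[key.strip()] = int(val)
    return info

def assess_pair(out_a, out_b):
    """Compare the two peers' captures and list conditions worth investigating."""
    peers = [parse_nat_redundancy(t) for t in (out_a, out_b)]
    roles = [p["state"].replace("IPNAT_HA_RG_ST_", "") for p in peers]
    findings = []
    # Steady state is one ACT* peer and one STBY_HOT peer: STBY_COLD means bulk
    # sync has not completed, two ACT peers points at the control link.
    if sorted(r[:3] for r in roles) != ["ACT", "STB"] or "STBY_HOT" not in roles:
        findings.append(f"unexpected role pair: {roles}")
    for key in ("Static Mappings", "Dynamic Mappings"):
        if peers[0][key] != peers[1][key]:
            findings.append(f"{key} differ between peers: NAT config drift")
    if peers[0]["NAT Entries"] != peers[1]["NAT Entries"]:
        findings.append("synced NAT entry counts differ: check the data interface")
    for name, p in zip(("peer1", "peer2"), peers):
        if p["Mapping ID Mismatches"]:
            findings.append(f"{name}: synced entries reference a mapping-id with no local NAT rule")
        if p["Dropped Packets"]:
            findings.append(f"{name}: {p['Dropped Packets']} packets dropped by NAT-HA")
    return findings
```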
Debugs for TAC Analysis :
Common error cases :
debug ip nat redundancy errors
Messages info :
debug ip nat redundancy messages [[detailed] [errors]]
Packet info :
debug ip nat redundancy packets
Database info :
debug ip nat redundancy db [errors]
Checkpointing Facility :
debug ip nat redundancy cf
Redundancy Framework :
debug ip nat redundancy rf [errors]
Conclusion
Useful Commands :
• The RG on the active is reloaded with "redundancy application reload group <rg-number> self"
• The RG on the active is shut down with these CLI commands in redundancy config mode:
ISR1(config-red-app)#group 1
ISR1(config-red-app-grp)#shutdown
• clear ip nat translation redundancy <RG-id> *
• clear ip nat translation redundancy <RG-id> forced
Useful Links :
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html
https://supportforums.cisco.com/document/12206251/nat-box-box-high-availability-function-overview
Key Takeaways :
• Purpose of redundancy.
• Redundancy for the NAT traffic and its importance.
• Key elements for the NAT B2B HA feature.
• State changes.
• Design recommendation.
• Triggers for failover.
• Supported topologies.
• Supported & unsupported configurations.
• Configuration design.
• Troubleshooting tips.
"Q & A"